User control of anonymized profiling data using public and private blockchains in an electronic ad marketplace

ABSTRACT

The disclosure relates to securing and enabling user control of profiling data, blockchain-driven matching of users and advertiser-identified anonymous profiling data records of interest, and smart contracts encoded by blockchain for executing transactions. The system may include an anonymized database of profiling data, which is unlinked to any user. The system may implement a private blockchain to store user-defined settings that provide user control over whether and how the profiling data may be used. If a grant to use the data is received, a link is stored that allows the system to identify a user associated with the anonymous profiling data records. If the grant is revoked, the link may be removed. The system may also implement public blockchain technology to record public information relating to grants and online marketing transactions, making them verifiable, immutable, and transparent for various stakeholders including advertisers, publishers, and users.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 17/361,157, filed Jun. 28, 2021, entitled “USER CONTROL OF ANONYMIZED PROFILING DATA USING PUBLIC AND PRIVATE BLOCKCHAINS IN AN ELECTRONIC AD MARKETPLACE”, which is a divisional of U.S. patent application Ser. No. 15/995,158, filed Jun. 1, 2018, entitled “USER CONTROL OF ANONYMIZED PROFILING DATA USING PUBLIC AND PRIVATE BLOCKCHAINS IN AN ELECTRONIC AD MARKETPLACE” (which issued as U.S. Pat. No. 11,049,148 on Jun. 29, 2021), which is hereby incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The field of the invention relates to securing and enabling user control of profiling data, use of a private blockchain to facilitate matching of users and anonymous profiling data records of interest, and use of a public blockchain to transparently and immutably publish system activity.

BACKGROUND OF THE INVENTION

Electronic data mining based on online network activity has compromised the security and privacy of user data. The openness of the Internet has fueled its popularity, but various models around delivering online content have led to many closed, proprietary solutions that exacerbate the problem of online data security and privacy. For example, much of today's online content is supported through paywalls such as a requirement to pay for a subscription to access content, advertising revenue, or a combination of the two. To support advertising revenue, conventional electronic advertising exchanges have been developed. Because of the scale and complexity of data available over wide area networks such as the Internet, identifying relevant users that may have an interest in a specific subject matter of interest has become increasingly difficult yet important for system efficiency. Conventionally, electronic ad exchanges focus on intensively mining user data in order to provide increasing focus on relevant users at the expense of user privacy. Users are growing increasingly wary of the use of their online data and the need to protect it. However, conventional systems do little to protect online data privacy. Furthermore, the lack of transparency caused by the electronic nature of these exchanges makes it difficult for advertisers, publishers, and users alike to trust these systems. These and other problems exist with online electronic ad exchanges.

SUMMARY

The disclosure addressing these and other problems relates to securing and enabling user control of profiling data, blockchain-driven matching of users and advertiser-identified anonymous profiling data records of interest, and smart contracts encoded by blockchain for executing transactions. The system may include an anonymized database of profiling data, which is unlinked to any user. The system may implement a private blockchain to store user-defined settings that provide user control over whether and how the profiling data may be used. If a grant to use the data is received, a link may be stored that allows the system to identify a user associated with the anonymous profiling data records. If the grant is revoked, the link may be removed. The system may also implement public blockchain technology to record public information relating to grants and online marketing transactions, making them verifiable, immutable, and transparent for various stakeholders including advertisers, publishers, and users.

To facilitate the foregoing and other functions, the system may build and maintain an anonymized database that stores anonymous profiling data (including different types of profiling data such as behavioral data, demographic data, etc.), user-facing applications that enable users to control access to their profiling data, an advertiser-facing audience builder application, and a secured private platform that secures personal identifiable information through a private blockchain.

Users may enroll to receive advertisements and corresponding rewards. An enrolled user may be assigned with a user identifier and a device identifier for each device used by the user. The user identifier may be used internally by the system to identify the user. The user's personal identifying information, demographic information, and/or other private information may be stored in association with the user identifier. While generally kept in secure storage without access to others, this private information may further be encrypted and secured prior to storage. The profiling data may be linked with the user identifier only when permitted by the user.

The device identifier may be transmitted to and stored at a user device. In some instances, the device identifier may be stored locally at the device, such as via a browser cookie. If a user grants access to use profiling data or other data (e.g., personal identifying information or demographic data), the system may store a link between the user identifier and the device identifier(s). Revocation of this grant will result in removal of the link. Removal of the link will remove the ability to associate a user with anonymous profiling data, as will be described below.

Grants may permit use of data derived from some or all of the user devices, particular types of profiling data, particular types of advertisements, and other types of grants. The system may receive and store user-defined grants to the private blockchain in association with the user identifier. In particular, the user-defined access grants may be stored in the private blockchain in association with a user's wallet address.

When the user device generates activity that results in profiling data (such as by browsing an Internet site, conducting online shopping, etc.), a participating platform such as a website of a publisher and/or the user device may provide the profiling data and the device identifier to the system. The system may generate an anonymous profiling data record containing a unique record identifier and the profiling data. The unique record identifier may be generated to uniquely identify the anonymous profiling data record, which may be stored in an anonymized database. By themselves, anonymous profiling data records in the anonymized database cannot be used to identify a user.

The system may determine whether the device identifier is linked with a user identifier, indicating that the user has permitted use of the user's profiling data. The system may also determine whether the user has permitted use of the type of profiling data contained in the anonymous profiling data record. This determination may include determining whether use of the type of incoming profiling data is permitted (for example, if the type of profiling is web browsing, whether the user has granted access to web browser data), whether the grant has expired, and/or whether other user-defined settings permit such use. The system may link the anonymous profiling data record to a user identifier if the user has permitted such use. In this manner, a given anonymous profiling data record in the anonymized database 14 may be linked to a user only when a user has granted permission to use either all or specified profiling data.

The system may write the unique record identifier from the anonymous profiling data record, the user identifier, and a grant transaction identifier to the private blockchain. In this manner, the block may be later consulted to identify whether the anonymous profiling data record may be used to target the user. If the permission is revoked by the user, the link may be deleted, thereby erasing the linkage between the user identifier and the device identifier. In some instances, a grant may be revoked by writing a new entry in the private blockchain, and the existence of this revocation will cause any links to anonymized profiling data records to be ignored.

In some instances, the system may write the grant transaction identifier, a date of the grant of access to the anonymous profiling data record, the type of personal identifiable information permitted to be used (if applicable), a duration of the grant, and/or other information to the public blockchain for public access and transparency relating to the grant.

Specifying an Audience through an Audience Definition

The system may provide interfaces and tools to build and transmit an advertiser request for processing at the secured private platform. The interfaces and tools may include options for filtering anonymous data of interest so that advertisers may identify and specify data of interest based on the anonymous profiling information even if the advertisers do not know the identity of the users associated with the data. In a particular example, an advertiser may target users who are aged 18-30 and browse sporting goods items. The system may identify anonymous profiling data records that correspond to these specifications. Other types of profiling data may be targeted as well. Once an audience has been specified, the system may build a list of anonymous identifiers (such as unique record identifiers) that are associated with the specified profiling data.

The request may include an advertiser identifier, advertisement campaign parameters (such as pricing model/information—bid amount, cost per click, cost per impression, etc., a maximum budget, a starting and/or ending date of the campaign), the list of anonymous identifiers, a type of channel to deliver the advertisement (such as via email, social media platform, mobile notification, etc.), advertising content, and/or other information that describes an advertisement to be distributed. In some instances, the request may be persistent unless it expires or is canceled by the advertiser. While the audience order is unexpired and not canceled, the system may periodically update relevant users who have profiling data that match the specifications in the request and who have permitted use of their profiling data.

In some instances, the system may encode the request as a digital object for input to specific handlers of the system. In these instances, the object may include an expected action to take such as send an email with an advertisement, provide an advertisement via social media, calculate data or rewards, return a query result, etc. An appropriate handler may be identified and may validate the request. In some implementations, each handler may be pre-compiled into the system, thereby ensuring the integrity of input handling and processing.

Audience Assembly and Ad Delivery

Each handler may identify appropriate users, with specific functionality for each handler to facilitate actual delivery of an advertisement; it may also be used in a similar fashion for analytics and behavioral data measurement of audiences. For example, some handlers may deliver ads (as used herein, “ads” will be used interchangeably with “advertisements”) to specific channels like emails or social media accounts, while other handlers may add ads to an advertisement queue. Similarly, a handler may be designed to create a table of aggregate analytics reports like showing the distribution of people in the audience of users across demographics (such as gender, users that spend X dollars per year/month on electronics, etc.). The following functionality is common amongst the handlers. A handler may consult the private blockchain and the linking database to determine whether any of the anonymous identifiers specified by the request is linked to a user that has authorized use of their profiling data. For these users, the system may store a link between the user identifier and the anonymous identifier (e.g., a device identifier). In some instances, the handler may also determine whether the user has granted permission to deliver the specific type of ad to the user. If the user has granted access to the user's data and specific permissions for the ad type requested have been granted, the handler may add that user to a list of recipients that should receive the advertisement. The specific manner of delivery may vary depending on the specific handler used to process the request.

Delivery Via Specific Channels

Some requests may require use of personal identifying information such as a specific communication channel. For example, an advertiser may specify in the request that an advertisement be sent to relevant users' social media accounts, email addresses, and so forth (none of which the advertiser has access to). If so, an appropriate handler may add that user to be a recipient of the specified advertisement through the specified channel. The handler may cause the advertisement to be transmitted through the specified channel to the targeted recipient. Thus, while the advertiser identified an anonymous user that should receive an advertisement, the advertiser does not know who that anonymous user is. The system will be able to link the anonymous user with personal identifiable information if the user has granted permission to do so.

Targeted Delivery Via the Advertising Queue

Some requests may not require use of personal identifying information, but still target certain users having certain profiling data. For example, the request may not specify that a user's communication channel be used to communicate the ad, but may specify a set of anonymous identifiers the advertiser wishes to target. In this example, a handler may add the advertisement to a queue of advertisements to be delivered to users who have permitted use of their profiling data (including any permitted types of ads). For example, the queue may store advertisement identifiers that are associated with device identifiers so that devices interacting with an affiliate website or other touch point may be provided with the relevant ads in the ad queue.

Ads in the queue may be provided to users through a publisher's platform such as a website that provides the users' device identifiers stored locally as a cookie. In these instances, if a user who has permitted use of his profiling data browses the website and the website provides a device identifier, the system may provide the website with an ad from the ad queue for presentation in the website.

Ads in the queue may be provided to users based on logged-in or subscriber status with the ad service itself. For example, a browser extension or advertising iframe or HTML code can request whether or not the user is logged in or has signed up for the ad service and, in this scenario, may not need to use cookies to identify the applicable ad queues for a user.

Any clicks or interactions with the ad may be tracked for payment purposes. For instance, the advertiser may be charged per click according to the ad budget in a request, the website may be provided with a fee for serving the ad, and the user may be provided with a reward for agreeing to permit use of his profiling data.

Untargeted Delivery Via the Advertising Queue

Some requests may not require use of personal identifying information and not target certain users. In this case, processing may continue as with the targeted delivery via an advertising queue, but without ads being previously associated with a system-generated user identifier. For example, the agent on a website may detect a system-generated user identifier and transmit the identifier to the secure private platform. This indicates to the secure private platform that a user is browsing an affiliate website. The secure private platform may select an ad from a general ad queue (one that is not targeted to users having particular profiling data), check any user-defined settings that permit delivery of the ad, and transmit the ad to the website if delivery is permitted to that user. Whichever handler is used to process a request, the system may deliver advertisements to users who have permitted use of their profiling data while not providing any personal identifying information of the user to the advertiser.

Aggregated Analytics Reports from Secured Audience Data

An object type may also define an audience of users with a destination of a report or analysis being created. The audience assembly service is used in those cases that require access to private data or data secured on the private blockchain. A handler is created with the analytics data type. This allows the audience assembly to perform counts and measurement of the audience members as it assembles the matching users. This kind of data analysis occurs directly on anonymous data stores as well, but some scenarios require identity and/or private blockchain transactions to be scored and tallied. For example, if the desire is to create a report that shows the age distribution of users that received a reward from a particular advertiser, the advertiser may ask via the audience assembly “What are the age ranges of people that saw my ads last week”. The reply from the handler, instead of being a new ad being delivered like in the other scenarios, creates a report that groups the age ranges of those people that received an ad in that time period.

Electronic Ad Marketplace

The system may provide an electronic ad marketplace that includes electronic interfaces and tools for advertisers and publishers to transparently participate in an electronic advertising marketplace. For example, the electronic ad marketplace may receive advertisement information from advertisers. The advertisement information may include the advertisement content in any format (e.g., video, audio, text, graphics, etc.), an electronic address such as a Uniform Resource Locator (URL) to the advertisement content, metadata relating to the advertisement (e.g., size, type, format, etc.), advertisement campaign parameters, and/or other information relating to the advertisement that the advertiser would like to be provided to users via the secure private platform. The electronic ad marketplace may publish the advertisement information, such as by writing the advertisement information to the public blockchain.

The electronic ad marketplace may receive publisher information from publishers. The publisher information may include an electronic address of the publisher (such as a URL of the publisher's website), a location of the space allocation on the website for advertisements, size allocated for the advertisement (such as absolute dimensions, relative dimensions, etc.), publishing parameters such as a minimum asking price for publishing an ad, subject matter for a given site, and/or other information relating to the publisher. The electronic ad marketplace 40 may publish the publisher information, such as by writing the publisher information to the public blockchain.

Some or all of the advertisement information and/or publisher information may be written to the public blockchain, thereby creating an immutable record of the information. In this way, advertisement information and publisher information may not be tampered with.

In an implementation, the electronic ad marketplace may generate one or more smart contracts based on the advertisement information, the publisher information, reward information, and/or other information that may be used to self-execute an agreement between parties. For example, a smart contract may encode one or more rules that execute terms of a contract if the campaign parameters have been satisfied, the publisher's parameters have been satisfied, and the advertisement has been transmitted to a user, which may occur via a publisher. The terms of the contract may include the bid amount an advertiser is willing to pay, an amount to be paid to a publisher, an amount to be rewarded to a user for permitting use of his profiling data, and/or other terms.

Additional checks can, at any time after the blockchain record is created, verify whether the assets being referred to in the advertisement have changed from the original blockchain record. If assets have changed, the Ad Marketplace will automatically de-list the advertisement from any active ad contracts. It may further be used to flag the advertiser in the marketplace. For example, an advertiser originally shows a legitimate ad image that they later attempt to replace with adult content, in which case the ad itself becomes de-listed and removed from all contracts and the advertiser is flagged as potentially being compromised.
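The asset check described above, as an added example that is not part of the patent's own text: the public ledger record for an ad stores a SHA-256 digest per asset at listing time, and a later check re-hashes the assets currently being served, de-listing the ad from active contracts and flagging the advertiser on any mismatch. The `Marketplace` class, the contract store and the asset bytes are all constructed for this example.

```python
"""Added example: integrity check of ad assets against their listing-time record."""
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an asset's raw bytes."""
    return hashlib.sha256(data).hexdigest()


class Marketplace:
    """Toy ad marketplace (constructed for the example, not the patent's code)."""

    def __init__(self):
        self.public_ledger = []        # append-only list of published ad records
        self.active_contracts = {}     # contract_id -> set of ad_ids in the contract
        self.flagged_advertisers = set()

    def _record(self, ad_id: str) -> dict:
        return next(r for r in self.public_ledger if r["ad_id"] == ad_id)

    def list_ad(self, ad_id: str, advertiser: str, assets: dict) -> dict:
        """Publish the ad; the record commits to a digest of every asset
        (asset name -> bytes, e.g. the image behind an ad's URL)."""
        record = {
            "ad_id": ad_id,
            "advertiser": advertiser,
            "assets": {name: digest(data) for name, data in assets.items()},
        }
        self.public_ledger.append(record)
        return record

    def add_to_contract(self, contract_id: str, ad_id: str) -> None:
        self.active_contracts.setdefault(contract_id, set()).add(ad_id)

    def changed_assets(self, ad_id: str, current_assets: dict) -> list:
        """Names of assets whose currently served bytes differ from the ledger
        record; an asset that is no longer served also counts as changed."""
        record = self._record(ad_id)
        changed = []
        for name, recorded_digest in record["assets"].items():
            current = current_assets.get(name)
            if current is None or digest(current) != recorded_digest:
                changed.append(name)
        return changed

    def verify(self, ad_id: str, current_assets: dict) -> bool:
        """Re-check an ad at any time after listing. On mismatch the ad is
        removed from all active contracts and its advertiser is flagged."""
        if not self.changed_assets(ad_id, current_assets):
            return True
        for ads in self.active_contracts.values():
            ads.discard(ad_id)
        self.flagged_advertisers.add(self._record(ad_id)["advertiser"])
        return False


if __name__ == "__main__":
    m = Marketplace()
    banner = b"constructed-image-bytes"          # stands in for the listed image
    m.list_ad("ad-1", "adv-9", {"banner.png": banner})
    m.add_to_contract("contract-1", "ad-1")
    print(m.verify("ad-1", {"banner.png": banner}))        # unchanged -> True
    print(m.verify("ad-1", {"banner.png": b"swapped"}))    # replaced -> False
    print(m.active_contracts, m.flagged_advertisers)
```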

These and other objects, features, and characteristics of the system and/or method disclosed herein, as well as the methods of operation and functions of the related elements of structure and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the invention. As used in the specification and in the claims, the singular form of “a”, “an”, and “the” include plural referents unless the context clearly dictates otherwise.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example of a system of securing and enabling user control of profiling data, use of a private blockchain to facilitate matching of users and anonymous profiling data records of interest, and use of a public blockchain to transparently and immutably publish system activity, according to an implementation of the invention.

FIG. 2 illustrates an example of a process of registering a user and generating anonymous identifiers for the user, according to an implementation of the invention.

FIG. 3 illustrates an example of a process of obtaining user-defined settings for permitting access to the user's profiling data, according to an implementation of the invention.

FIG. 4 illustrates an example of a process of matching anonymous user identifiers specified in an audience order with users that have permitted use of their profiling data, according to an implementation of the invention.

DETAILED DESCRIPTION OF THE INVENTION

The disclosure relates to securing and enabling user control of profiling data, blockchain-driven matching of users and advertiser-identified anonymous profiling data records of interest, and smart contracts encoded by blockchain for executing transactions. The system may include an anonymized database of profiling data, which is unlinked to any user. The system may implement a private blockchain to store user-defined settings that provide user control over whether and how the profiling data may be used. If a grant to use the data is received, a link is stored that allows the system to identify a user associated with the anonymous profiling data records. If the grant is revoked, the link may be removed. The system may also implement public blockchain technology to record public information relating to grants and online marketing transactions, making them verifiable, immutable, and transparent for various stakeholders including advertisers, publishers, and users.

Various examples used herein will describe advertisements for illustration and not limitation. Other types of marketing information may be provided to users as well. Furthermore, unless otherwise noted, the term “user” will be used to denote an end user who is provided with an advertisement.

FIG. 1 illustrates an example of a system 100 of securing and enabling user control of profiling data, use of a private blockchain to facilitate matching of users and anonymous profiling data records of interest, and use of a public blockchain to transparently and immutably publish system activity, according to an implementation of the invention. System 100 may include a computer system 110, a private blockchain 10, a public blockchain 12, one or more user devices 120, an anonymized database 14 (illustrated as “anon. database 14”), one or more advertisers 140, one or more publishers 150, and/or other components. The computer system 110 may provide a secured private platform through which advertisers 140 may provide targeted advertisements to users (such as via their user devices 120) who permit use of their profiling data. In some instances, the advertisements may be delivered to users via publisher platforms 150.

The private blockchain 10 may store user-defined privacy settings, a record of advertisement delivery by the computer system 110, a link to one or more records in the public blockchain 10, and/or other data that is not publicly made available. The user-defined privacy settings may specify whether and what types of profiling data may be used by the computer system 110, types of ads that are permitted, an expiration of such permission, and/or other settings that define control over the use of the profiling data. In this manner, the user may have “ownership” over the user's profiling data. The record of advertisement delivery may include information that specifies when an advertisement was delivered, an identification of the advertisement, a channel in which it was delivered (such as via email or general ad), and/or other information that can be used to verify that the advertisement was actually delivered.

The private blockchain 10 may include one or more nodes that are connected to one another using one or more connection protocols, including a peer-to-peer connection protocol. The particular number of, configuration of, and connections between the nodes may vary. The private blockchain 10 may include a private distributed ledger that each node may store. The computer system 110 may restrict access to the private blockchain 10, securing its privacy. For example, in implementations in which a user wallet 122 configures user device 120 as a node in the private blockchain 10, the user wallet 122 may access only data pertaining to the user device 120 via public-private key encryption. In this example, data on the private distributed ledger or a blockchain transaction relevant to a given user wallet 122 may be encrypted by the computer system 110 using the user wallet's public key such that only the user wallet's private key can decrypt its contents.

The public blockchain 12 may store a user's reward balance, information relating to when a user granted access to the user's profiling data, information relating to when an audience order was made, an advertisement submitted by an advertiser 140 for provision to users, a listing of offered space (such as within a website) of a publisher 150 in which the advertisement can be placed, reward payment information, and/or other information that is made available to the public for transparency.

The public blockchain 12 may include one or more nodes that are connected to one another using one or more connection protocols, including a peer-to-peer connection protocol. The particular number of, configuration of, and connections between the nodes may vary. The public blockchain 12 may include a public distributed ledger that each node may store. Unlike the private distributed ledger of the private blockchain 10, the public distributed ledger of the public blockchain 12 may be read and written to by any node that is registered with the public blockchain.

Each of the private and public blockchains (10, 12) may be implemented in various ways, except that the private blockchain 10 may enforce credentialed access to a distributed ledger, as described above. In each blockchain, a corresponding distributed ledger may include a series of blocks of data that reference at least another block, such as a previous block. In this manner, the blocks of data may be chained together. An example of a distributed ledger is described in the well-known white paper “Bitcoin: A Peer-to-Peer Electronic Cash System,” by Satoshi Nakamoto (bitcoin.org), the contents of which are incorporated by reference in its entirety herein. Other blockchain platform technologies may be used as well, such as the Ethereum platform, described in the white paper, “Ethereum Specification” (https://github.com/ethereum/wiki/wiki/White-Paper), the contents of which are incorporated by reference in its entirety herein.

The anonymized database 14 may store profiling data, which may be considered private data of a user. For example, the profiling data may include behavioral, demographic, location, and/or other data relating to the user. The behavioral data may include shopping data, Internet browsing data, and/or other online activity information of a user. The location information may include a current location of a user, historic location of a user, and/or other information that indicates a place, address, or other geolocation of a user. The profiling data may be anonymized by storing only an anonymous identifier in association with the profiling data.

The linking database 16 may store a link between a user identifier assigned to the user and a device identifier if the user has granted permission to use the user's profiling data. The user identifier may be stored in association with personally identifiable information of the user. The link may be deleted if the user revokes the permission. In this case, any linkage between the user identifier and the device identifier will be lost and the profiling data will not be identifiably linked to the user.

User Control of Profiling Data

The user-facing applications 30 may provide interfaces that allow a user to provide user-defined settings that control whether and to what extent the user's personal identifiable information and profiling data may be used. The user-defined settings may include advertising preferences, a setting that controls whether the personal identifiable information and profiling data of the user may be used for advertising, and/or other settings controlled by a user. As used herein, a permission from a user that permits the system to use certain data such as ad preferences, personal identifiable information and profiling data will also be referred to as a “grant.”

The ad preferences may specify characteristics of ads that are permitted by the user. These ad characteristics may include a format (such as video, audio, text, etc.), duration (such as runtime length), and/or other ad parameters that can be used to filter ads for presentation to the user. As described herein, because users may be rewarded for receiving and/or interacting with ads, fewer preferences will lead to less filtered ads and therefore the potential for greater rewards. On the other hand, more preferences (and more privacy) may result in a potential for lesser rewards. This balance may be controlled by the user according to user preferences.

Through the user-defined setting relating to personal identifiable information, the user may control whether marketing information may be sent to the user through the user's email address, social media account, or other communication channel. The personal identifiable information may include, for example, an email address, a social media account, a name, and/or other information that may be used to personally identify a user. The user may also control whether and which types of profiling data may be used for targeting.

An example of a process of registering a user and generating anonymous identifiers for the user will now be described with reference to FIG. 3. In an operation 202, process 200 may receive user information. The user information may include personal identifying information, demographic information, and/or other information relating to the user.

In an operation 204, the user may be assigned a user identifier that the secure private platform uses to identify the user. This user identifier may be used internally by the secure private platform to identify the user and any permissions granted by the user to use the user's profiling data. The user's personal identifying information, demographic information, and/or other private information may be stored in association with the user identifier. The user may also be assigned a wallet address for a private wallet 122, which may be associated with the user identifier in the system, so that information on the private blockchain 10 relating to the user may be obtained using the wallet address.

In an operation 204, process 200 may assign a user identifier for the user and a device identifier for a device (such as user device 120) of the user. The device identifier may be transmitted to and stored at the user device 120 used by the user to enroll. In some instances, the device identifier may be stored locally at the device, such as via a browser cookie. When the user device 120 accesses a participating platform such as a website of publisher 150, the user device 120 may provide the device identifier, such as via the browser cookie. The system may then determine whether the device identifier is associated with a user identifier and handle any profiling data according to whether the user has permitted use of this data. If the user uses a new user device to access the website, then the website may request that the user provide the user's user identifier so that the new user device may be assigned a new device identifier, which may also be linked with the user identifier. In this manner, for each device, a device identifier may be assigned to identify the device. As such, activity on the device (including shopping activity, online browsing activity, geolocation activity, etc.) may be monitored and stored as profiling data, as will be described below. The device identifier by itself cannot be used to identify a user. The device identifier(s) and the user identifier are not stored in association with one another unless the user has granted permission to use the user's profiling data. In this manner, if the user has not granted such permission, the profiling data associated with the device identifier cannot be linked with a specific user. In some instances, the system may associate specific permissions with specific devices. For example, the user may specify that profiling data derived from one device of the user may be used, while profiling data derived from another one of the user's devices may not be used.

In an operation 208, process 200 may include storing the user-defined access grants to the private blockchain 10 in association with the user identifier. In particular, the user-defined access grants may be stored in the private blockchain 10 in association with the user's wallet address. For example, the data grant manager 32 may store the grants in the private blockchain 10 in association with the user identifier (or more particularly, in association with the user's wallet address for the private blockchain). For instance, based on input through the user-facing applications 20, the data grant manager 32 may write a specified grant to a blockchain transaction, which may be included in a block of a distributed ledger of the private blockchain 10. The distributed ledger may encrypt any personal identifiable information using public and private keys. Thus, the distributed ledger may securely store identifying information about the user and the user's settings with respect to what types of data about the user may be used, but not the profiling data itself. In this manner, third parties will not have access to any of the profiling data or personally identifiable information unless the user permits such access via a user setting. As such, none of the profiling data or personal identifiable information is exposed to the public unless permitted by the user, while maintaining an immutable record of the user's settings that permit (or deny) the use of the user's personal identifiable information and behavioral data. The user may later view and modify the user's settings, such as using the private wallet 122, and any changes may be recorded to the private blockchain 10.

Generating Anonymized Profiling Data

Generating anonymized profiling data will now be described with reference to FIG. 3. In an operation 302, process 300 may include receiving profiling data and an anonymous identifier such as a device identifier. A brief overview of how the profiling data is generated will be described. In operation, a user registered to use the system may conduct activity on a user device 120 that includes one or more agents 126. The one or more agents 126 may include programs that monitor activity on the user device 120 and report this activity to the computer system 110. For example, an agent 126 may include a browser extension, a mobile application, a platform-specific application (such as an electronic shopping application), and/or other types of user application that can report user activity that may be used as profiling data. As one example, the browser extension may be configured as a script that transmits browser history information and a device identifier to the computer system 110, which stores the browser history information anonymously linked to the device identifier in the anonymous database 14. Other agents 126 may monitor and provide other types of profiling data.

In some instances, the one or more agents 126 may store the device identifier of an enrolled device. For instance, an agent 126 may store the device identifier as a browser cookie as previously described with reference to FIG. 3. If a device identifier is not stored, the agent 126 may determine whether the device is enrolled to use the system. If so, then the device identifier may be obtained from the secure private platform and stored as a cookie. If the agent 126 determines that the device is not enrolled to use the system, the agent 126 may request that the user enroll the device, as described above. The agent 126 may transmit the profiling data along with the device identifier, which is received at operation 402.

In an operation 304, process 300 may include generating an anonymous profiling data record containing a unique record identifier and the profiling data. The unique record identifier may be generated to uniquely identify the anonymous database record. The anonymous database record may be stored in anonymized database 14. As such, by themselves, anonymous profiling data records in the anonymized database 14 cannot be linked to any user.

In an operation 306, process 300 may include determining whether the device identifier is associated with a user that has permitted use of the type of profiling data contained in the anonymous profiling data record.

Linking Anonymized Data Records to Users Based on User Grants

In an operation 308, process 300 may include linking the anonymous profiling data record to a user identifier if the user has permitted such use. As previously noted, if a user has granted permission to use the user's profiling data, a link between a user identifier and the user's device identifier may be stored. In some instances, the link may be stored in a smart contract that also stores or otherwise consults the user-defined grants. When the profiling data and device identifier are received from the agent 126, the data grant manager 32 may identify a user associated with the device identifier and grants from the user (or a smart contract that is associated with the device identifier). The data grant manager 32 may determine whether the user has previously permitted use of the profiling data. This determination may include determining whether use of the type of incoming profiling data is permitted (for example, if the type of profiling is web browsing, whether the user has granted access to web browser data), whether the grant has expired, and/or whether other user-defined settings permit such use.

In some implementations, the system may write the unique record identifier from the anonymous profiling data record, the user identifier, and a grant transaction identifier to the private blockchain 10. For example, if the user has permitted use of the profiling data, the data grant manager 32 may generate a private blockchain transaction that contains the unique record identifier, the user identifier, and a grant transaction identifier that uniquely identifies this transaction. This private blockchain transaction may be written to a distributed ledger of the private blockchain 10 and later consulted to identify the user in the event that the anonymous profiling data record associated with the unique record identifier is matched with an audience definition from an advertiser 140, as will be discussed below. In this manner, a given profiling data record in the anonymized database 14 may be linked to a user only when a user has granted permission to use either all or specified profiling data. If the permission is revoked by the user, the link may be deleted, thereby erasing the linkage between the user identifier and the device identifier. Thus, the anonymous profiling data record can no longer be linked to a user. In some instances, this functionality may be encoded as a smart contract so that creation or deletion of a link is automatic upon user input and is transparent so that users and others can verify this functionality.

In some instances, the data grant manager 32 may generate a public blockchain transaction that contains the grant transaction identifier, a date of the grant of access to the anonymous profiling data record, the type of personal identifiable information permitted to be used (if applicable), a duration of the grant, and/or other information for public access and transparency. The data grant manager 32 may write the public blockchain transaction to the public blockchain 12.

In some instances, the user's public and/or private wallets may provide access for the user to view or modify the user-defined settings. For example, the data grant manager 32 may receive a request to revoke a grant. Such revocations may affect future and previous grants to use profiling data. The revocation request may be to revoke a general grant (such as a previous grant to email the user). In this case, the grant will be removed. If written to the private blockchain 10, for example, a new block may be written that revokes any previous grant. Alternatively, the block containing the original grant may be burned in a private blockchain. If the revocation request relates to a specific grant transaction identifier, then the particular grant for that grant transaction identifier may be revoked in a similar manner by revoking the block in the private blockchain 10 pertaining to the grant transaction identifier. Doing so will “orphan” the corresponding anonymous profiling data record since it will no longer be linkable to a user. In some instances, revocations will be enacted upon expiration of a grace period after a revocation request has been made. In this manner, a user may roll back or cancel a revocation request before this grace period expires. In some implementations, if a user deletes an agent operating on the user device 120, data relating to that device may be orphaned. If the agent is re-installed on the user device 120 and the user signs in with the system-generated user identifier, the profiling data may be re-linked with the user if the device identifier has been retained on the user device. However, if the device identifier has also been removed from the device, and a new device identifier is assigned to the user device 120, the previous profiling data associated with the device may be permanently orphaned.
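The grant-gated linking of process 300 (operations 302 through 308) together with the revocation and grace-period behaviour just described, as an added Python illustration that is not the patent's own code; the in-memory dictionaries are constructed stand-ins for the private blockchain 10, anonymized database 14 and linking database 16, and the identifiers, data types and timestamps are made up.

```python
# Added illustration (not the patent's code): anonymous profiling records are
# stored unlinked; a link to a user exists only while an active grant covers
# that data type; a revocation deletes the link once its grace period elapses,
# orphaning the record. All data and the in-memory stores are constructed.
from dataclasses import dataclass, field
from typing import Optional
import uuid


@dataclass
class Grant:
    grant_id: str
    user_id: str
    device_id: str
    data_types: frozenset             # profiling types the user permits
    expires_at: int                   # grant is unusable at or after this time
    revoke_at: Optional[int] = None   # set when a revocation has been requested


@dataclass
class PlatformState:
    anon_records: dict = field(default_factory=dict)  # record_id -> (device, type, payload)
    grants: dict = field(default_factory=dict)        # grant_id -> Grant (private chain stand-in)
    links: dict = field(default_factory=dict)         # record_id -> (user_id, grant_id)


def active_grant(state: PlatformState, device_id: str, data_type: str,
                 now: int) -> Optional[Grant]:
    """Operation 306: find a grant that currently permits this device's data type."""
    for g in state.grants.values():
        if g.device_id != device_id or data_type not in g.data_types:
            continue
        if now >= g.expires_at:
            continue                                  # expired grant
        if g.revoke_at is not None and now >= g.revoke_at:
            continue                                  # grace period over: revoked
        return g
    return None


def ingest(state: PlatformState, device_id: str, data_type: str,
           payload: dict, now: int) -> str:
    """Operations 302-308: store the record anonymously, then link it to the
    user only if an active grant covers this data type."""
    record_id = str(uuid.uuid4())                     # unique record identifier
    state.anon_records[record_id] = (device_id, data_type, payload)
    g = active_grant(state, device_id, data_type, now)
    if g is not None:
        state.links[record_id] = (g.user_id, g.grant_id)
    return record_id


def request_revocation(state: PlatformState, grant_id: str, now: int, grace_seconds: int) -> None:
    """Revocation takes effect only after the grace period."""
    state.grants[grant_id].revoke_at = now + grace_seconds


def cancel_revocation(state: PlatformState, grant_id: str) -> None:
    """The user may roll back a pending revocation before the grace period ends."""
    state.grants[grant_id].revoke_at = None


def enforce_revocations(state: PlatformState, now: int) -> int:
    """Delete links of grants whose revocation has taken effect; the anonymous
    records stay but are orphaned. Returns the number of links removed."""
    revoked = {gid for gid, g in state.grants.items()
               if g.revoke_at is not None and now >= g.revoke_at}
    doomed = [rid for rid, (_, gid) in state.links.items() if gid in revoked]
    for rid in doomed:
        del state.links[rid]
    return len(doomed)


def resolve_user(state: PlatformState, record_id: str) -> Optional[str]:
    """A record identifies a user only through a link; without one it is anonymous."""
    link = state.links.get(record_id)
    return link[0] if link else None


def demo() -> dict:
    """Walk through grant, ingest, revoke-with-grace and orphaning (constructed data)."""
    s = PlatformState()
    s.grants["g1"] = Grant("g1", "user-42", "dev-A", frozenset({"web_browsing"}), expires_at=2_000)
    r_web = ingest(s, "dev-A", "web_browsing", {"url": "https://shop.example/shoes"}, now=100)
    r_geo = ingest(s, "dev-A", "geolocation", {"lat": 0.0, "lon": 0.0}, now=100)
    out = {"linked": resolve_user(s, r_web),              # "user-42"
           "ungranted_type": resolve_user(s, r_geo)}      # None: type not covered by grant
    request_revocation(s, "g1", now=200, grace_seconds=100)
    out["removed_in_grace"] = enforce_revocations(s, now=250)      # 0: still inside grace
    cancel_revocation(s, "g1")                                      # user rolls back
    out["removed_after_cancel"] = enforce_revocations(s, now=400)  # 0
    request_revocation(s, "g1", now=500, grace_seconds=100)
    out["removed_after_grace"] = enforce_revocations(s, now=600)   # 1: link deleted
    out["orphaned"] = resolve_user(s, r_web)                       # None
    r_late = ingest(s, "dev-A", "web_browsing", {"url": "https://shop.example"}, now=601)
    out["new_record_linked"] = resolve_user(s, r_late)             # None: no active grant
    out["records_retained"] = len(s.anon_records)                  # 3: data kept, unlinked
    return out
```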

Specifying an Audience Through an Audience Definition

The audience builder application 34 may build and transmit an advertiser request for processing at the secured private platform. The advertiser request may include an audience order, an analytics and metrics request, and/or other request to the secured private platform.

Entities such as advertisers 140 may use the audience builder application 34 to create and submit an audience order. For instance, the audience builder application 34 may provide interfaces and tools for browsing the anonymized database 14 and building an audience specification. The interfaces and tools may include options for filtering anonymous users of interest so that advertisers 140 may identify and specify users of interest based on the anonymous profiling information even if the advertisers do not know the identity of such users. In a particular example, an advertiser 140 may input an audience specification that targets users who are aged 18-30 and browse sporting goods items. Other types of profiling data may be used to specify audiences as well. Once an audience has been specified, the audience builder application 34 may build a list of anonymous identifiers (such as unique record identifiers) that are associated with the specified profiling data.

The audience order may include an advertisement specification that specifies an advertisement that the advertiser would like to distribute via the secured private platform. The advertisement specification may include an advertiser identifier, advertisement campaign parameters (such as pricing model/information—bid amount, cost per click, cost per impression, etc., a maximum budget, a starting and/or ending date of the campaign), the list of anonymous identifiers in which the advertiser may be interested based on corresponding behavioral data—in these instances, the advertiser may target anonymous users associated with certain anonymized profiling data even though they cannot specifically identify these users, a type of channel to deliver the advertisement (such as via email, social media platform, mobile notification, etc.), advertising content, and/or other information that describes an advertisement to be distributed. The pricing model may dictate any amounts due to a publisher 150 (if applicable) and rewards that may be due to a user. For instance, in a cost-per-click model, the user may be rewarded if the user clicks on or otherwise interacts with an advertisement, resulting in a fee debit from the advertiser. In a cost per impression model, the reward may be provided to the user if the ad is displayed or otherwise provided to the user, whether or not the user clicks on or otherwise interacts with the ad. It should be noted that the reward model may be independent of the pricing model as well, and driven by a smart contract having terms agreed to by the user and the secure private platform.

In some instances, the audience order may be persistent unless it expires or is canceled by the advertiser. While the audience order is unexpired and not canceled, the system may periodically update relevant users who have profiling data that match the specifications in the order and who have permitted use of their profiling data.

The analytics and metrics request may be a request to provide analytics or metrics relating to a specific advertiser request, campaign of advertisements, all advertiser requests for an advertiser identifier, and/or other grouping of advertisements. For example, an object type may also define an audience of users, with the destination being a report or analysis to be created. The audience assembly service is used in those cases that require access to private data or data secured on the private blockchain. A handler is created with the analytics data type. This allows the audience assembly to perform counts and measurement of the audience members as it assembles the matching users. This kind of data analysis occurs directly on anonymous data stores as well, but some scenarios require identity and/or private blockchain transactions to be scored and tallied. For example, if the desire is to create a report that shows the age distribution of users that received a reward from a particular advertiser, the advertiser may ask via the audience assembly “What are the age ranges of people that saw my ads last week”. The reply from the handler, instead of being a new ad being delivered as in the other scenarios, is a report that groups the age ranges of those people that received an ad in that time period. Other types of requests may be made as well, including queries into the secured private platform.

In some instances, the audience builder application 34 may encode the request as a digital object for input to specific handlers of the secured private platform. In these instances, the object may include an expected action to take such as send an email, provide an advertisement via social media, calculate data or rewards, return a query result, etc. In these instances, the appropriate handler may validate the action as an expected action.

Audience Assembly and Ad Delivery

The audience assembler 36 may take the request as input from the audience builder application 34 and process the request to deliver advertisements specified by the request, return a response to a query in the request, and/or otherwise perform an action specified by the request. In some instances, the audience assembler 36 may validate the object to ensure it is a valid object and recognize an object type to route the object to an appropriate handler 38. In this manner, inputs such as requests or queries may be well-defined to strictly control inputs to the system, and therefore strictly control the corresponding outputs. The audience assembler 36 may validate the object in various ways. For instance, the object may encode a blockchain transaction identifier having a payload that includes the request. The audience assembler 36 may recognize an advertiser that created the blockchain transaction. Other validation techniques may be used as would be apparent based on the disclosure herein. For the examples that follow, delivering an advertisement will be used for illustrative purposes. It should be noted, however, that some handlers facilitate resolving queries or generating metrics and analytics reports.

Once it validates the request, the audience assembler 36 may identify a particular handler to handle the request. For example, the audience assembler 36 may recognize various properties of the object. The properties may include a specification of a type of communication channel through which an advertisement should be transmitted. In particular, the audience assembler 36 may determine that the object encodes a request to send advertisements via a social media account. In this example, the audience assembler 36 may identify the social media handler 38B for the social media platform that hosts the social media account. In another example, the object recognition module may determine that the object encodes a request to send advertisements via email. In this example, the audience assembler 36 may identify an email handler 38B.

Whichever handler is selected, each handler 38 may identify appropriate users in a similar manner, with specific functionality for each handler 38 to facilitate actual delivery of an advertisement. For example, each handler 38 may consult the private blockchain 10 and the linking database 16 to determine whether any of the anonymous identifiers specified by the request are linked to a user that has authorized use of their profiling data. For these users, the linking database 16 will include a link between the system-generated user identifier and the anonymous identifier. In some instances, each handler 38 may also determine whether the specific ad being requested has been permitted to be delivered. For example, the private blockchain 10 may store indications of specific permissions granted by the user such as ad source, ad type, etc. If the user has granted access to the user's data and specific permissions for the ad type requested have been granted, each handler 38 may add that user to a list of recipients that should receive the advertisement. The specific manner of delivery may vary depending on the specific handler 38 used to process the request. Furthermore, each handler 38 may provide output that does not specifically identify the users in the audience that was matched. In this manner, in some instances, an advertiser that made an ad order may not be provided with identities of users in the audience, only that the ad was delivered to such users.

Delivery Via Specific Channels

Some requests may require use of personal identifying information such as a specific communication channel. For example, an advertiser 140 may specify in the request that an advertisement be sent to relevant users' social media accounts, email addresses, and so forth (none of which the advertiser has access to). If so, an appropriate handler 38 may add that user as a recipient of the specified advertisement through the specified channel. For example, for a request to deliver an ad through a social media channel, the social media handler 38B may add the user to a set of users to which an advertisement will be directed through their social media account. In some implementations, the social media handler 38B may verify that the requesting advertiser has proper social media credentials to send ads through the social media platform. In some instances, the social media handler 38B may batch the social media account identifiers (which may be email addresses) that should receive the advertisement and send the batched social media account identifiers to an appropriate social media platform to deliver the ads. In some instances, the social media handler 38B may generate a hash of each social media account identifier and send the hashes to the social media platform, which matches each hash to an appropriate social media account to which to provide the ad. Similarly, the email handler 38A may add the user to a set of users to which an advertisement will be sent at their email addresses. Any user who has not supplied such permission will not be linked to any of the anonymous identifiers specified in the request and therefore will not be targeted, ensuring their privacy and preventing use of their profiling data.
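The hashed-identifier exchange between the social media handler 38B and the platform, as an added Python example that is not the patent's own code: the handler ships hashes rather than raw account identifiers, and the platform matches them against the same hash of its own accounts. The addresses, the normalization rule and the platform's account table are constructed for the illustration.

```python
# Added example (not the patent's code) of hashed account-identifier batching.
# Both sides must canonicalize identically before hashing, or nothing matches.
import hashlib
from typing import Dict, Iterable, List, Tuple


def normalize(identifier: str) -> str:
    """Constructed canonical form: trim whitespace, lower-case."""
    return identifier.strip().lower()


def hash_identifier(identifier: str) -> str:
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


def build_hashed_batch(recipients: Iterable[str]) -> List[str]:
    """Handler side: one hash per permitted recipient, deduplicated and sorted so
    the batch order reveals nothing about the order recipients were matched in."""
    return sorted({hash_identifier(r) for r in recipients})


class SocialPlatform:
    """Platform side (constructed): indexes its own accounts by the same hash so a
    batch resolves to accounts without the handler disclosing raw addresses."""

    def __init__(self, accounts: Dict[str, str]):
        # accounts maps account_id -> registered email address
        self._by_hash = {hash_identifier(email): acct for acct, email in accounts.items()}

    def match_batch(self, hashes: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Return (matched account ids, hashes with no account)."""
        matched, unmatched = [], []
        for h in hashes:
            acct = self._by_hash.get(h)
            if acct is None:
                unmatched.append(h)
            else:
                matched.append(acct)
        return matched, unmatched


def demo() -> dict:
    """Constructed recipients (resolved via user grants upstream) and accounts."""
    platform = SocialPlatform({
        "acct-1": "alice@example.test",
        "acct-2": "Bob@Example.test",
        "acct-3": "carol@example.test",
    })
    # Mixed case, padding and a duplicate show why normalization and dedup matter
    batch = build_hashed_batch(["  ALICE@example.test", "bob@example.test",
                                "alice@example.test", "mallory@example.test"])
    matched, unmatched = platform.match_batch(batch)
    return {"batch_size": len(batch),                     # 3: alice deduplicated
            "matched": sorted(matched),                   # ["acct-1", "acct-2"]
            "unmatched": len(unmatched),                  # 1: mallory has no account
            "raw_in_batch": any("@" in h for h in batch)}  # False: no addresses sent
```

Because the platform already holds the addresses it matches against, the hash hides nothing from it, and anyone with a candidate list of addresses can recompute the same hashes; a hashed batch is therefore pseudonymous rather than anonymous and should be stored and logged as personal data.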

The handler 38 may cause the advertisement to be transmitted through the specified channel to the targeted recipient. Thus, while the advertiser identified an anonymous user that should receive an advertisement, the advertiser does not know who that anonymous user is. The system will be able to link the anonymous user with personal identifiable information if the user has granted permission to do so.

Targeted Delivery Via the Advertising Queue

Some requests may not require use of personal identifying information, but still target certain users having certain profiling data. For example, the request may not specify that a user's communication channel be used to communicate the ad, but may specify a set of anonymous identifiers the advertiser wishes to target. In this example, other handlers 38N may add the advertisement to a queue of advertisements to be delivered to users who have permitted use of their profiling data (including any permitted types of ads). For example, the queue may store advertisement identifiers that are associated with device identifiers. For example, once a handler 38 has identified a user that should receive an advertisement via a channel other than the

Ads in the queue may be provided to users through a delivery platform 150 such as a website that will include the ads. In these instances, if a user who has permitted use of his profiling data browses the website that is affiliated with the secure private platform, the secure private platform may provide the website with an ad from the ad queue for presentation in the website. To do so, the website may implement an agent, such as a Javascript program, that communicates with the secure private platform. The agent may obtain the system-generated user identifier of a user who has permitted the system to use his profiling data. The system-generated user identifier may be stored locally on the user device 120 such as through a browser cookie. The agent may transmit the system-generated user identifier to the secure private platform, which may recognize that the system-generated user identifier has permitted ad delivery. The secure private platform may determine whether any ad has been associated with the user's system-generated user identifier (and ensure any other user-defined settings permit delivery of this ad), indicating that the ad was targeted for that user based on the user's profiling data. If so, then the secure private platform may transmit the ad to the website for presentation to the user.

Any clicks or interactions with the ad may be tracked for payment purposes. For instance, the advertiser 140 may be charged per click according to the ad budget in a request, the website may be provided with a fee for serving the ad, and the user may be provided with a reward for agreeing to permit use of his profiling data.

Untargeted Delivery Via the Advertising Queue

Some requests may not require use of personal identifying information and may not target certain users. In this case, processing may continue as with the targeted delivery via an advertising queue, but without ads being previously associated with a system-generated user identifier. For example, the agent on a website may detect a system-generated user identifier and transmit the identifier to the secure private platform. This indicates to the secure private platform that a user is browsing an affiliate website. The secure private platform may select an ad from a general ad queue (one that is not targeted to users having particular profiling data), check any user-defined settings that permit delivery of the ad, and transmit the ad to the website if delivery is permitted to that user.

Whichever handler 38 is used to process a request, the secured private platform will deliver advertisements to users who have permitted use of their profiling data while not providing any personal identifying information of the user to the advertiser.

Electronic Ad Marketplace

The electronic ad marketplace 40 may provide electronic interfaces and tools for advertisers 140 and publishers 150 to transparently participate in an electronic advertising marketplace. For example, electronic ad marketplace 40 may receive advertisement information from advertisers 140. The advertisement information may include the advertisement content in any format (e.g., video, audio, text, graphics, etc.), an electronic address such as a Uniform Resource Locator (URL) to the advertisement content, metadata relating to the advertisement (e.g., size, type, format, etc.), advertisement campaign parameters, and/or other information relating to the advertisement that the advertiser 140 would like to be provided to users via the secure private platform. The electronic ad marketplace 40 may publish the advertisement information, such as by writing the advertisement information to the public blockchain 12.

The electronic ad marketplace 40 may receive publisher information from publishers 150. The publisher information may include an electronic address of the publisher (such as a URL of the publisher's website), a location of the space allocation on the website for advertisements, size allocated for the advertisement (such as absolute dimensions, relative dimensions, etc.), publishing parameters such as a minimum asking price for publishing an ad, subject matter for a given site, and/or other information relating to the publisher. The electronic ad marketplace 40 may publish the publisher information, such as by writing the publisher information to the public blockchain 12.

In an implementation, electronic ad marketplace 40 may generate one or more smart contracts based on the advertisement information, the publisher information, reward information, and/or other information that may be used to self-execute an agreement between parties. For example, a smart contract may encode one or more rules that execute terms of a contract if the campaign parameters have been satisfied, the publisher's parameters have been satisfied, and the advertisement has been transmitted to a user, which may occur via a publisher. The terms of the contract may include the bid amount an advertiser is willing to pay, an amount to be paid to a publisher, an amount to be rewarded to a user for permitting use of his profiling data, and/or other terms.

Contract Fulfillment

The ad delivery service 52 may deliver ads to a user. For example, the ad delivery service 52 may execute one or more smart contracts. Accordingly, the ad delivery service 52 may provide an ad to the user depending on the state of each of the ad queues, which were populated by respective handlers 38, and the trigger conditions encoded by one or more of the smart contracts.

In some instances, the engagement monitor 54 may monitor user engagement with an advertisement. For instance, user engagement may include having been presented with an advertisement (such as an impression), clicking on a link, inputting a command to retrieve content associated with the advertisement, or otherwise interacting with a call-to-action of the advertisement. The engagement monitor 54 may collect metrics relating to the engagement, such as a number of impressions, a click-through rate, a cost per click, a cost per impression, and/or other metrics. Such metrics may be stored as engagement data in the anonymized database 14. The engagement data may be stored in association with an anonymous identifier. In this manner, the user may permit (or deny) access to this engagement data as well. In some instances, advertisers 140 and others may query the anonymous engagement information and may build audiences based on the engagement information or other profiling data.

Satisfying the terms of Ad Marketplace smart contracts will also depend on the integrity of the immutable record and on whether the assets on all sides of the contract remain unaltered from those originally agreed on. Smart contracts created in this marketplace will be automatically invalid if, for example, the checksum and/or properties of the image that was defined for the marketplace have changed.

Whether the ad delivery service 52 transmitted the ad through a specific channel or the ad queue, the blockchain processor 50 may generate a transaction that includes a payload that specifies that the advertisement was transmitted to and/or interacted with by the user. For example, the payload may indicate that a user associated with the anonymous identifier was provided with an advertisement. Furthermore, the blockchain processor 50 may cause appropriate debits from the advertiser, credits to any delivery platform, and any rewards for the user to be provided. These transactions may be self-executed according to a predefined smart contract and recorded on a public distributed ledger. In this manner, the advertiser can verify that the advertisement was delivered, openly consult the fee provided to any delivery platform, and also verify rewards provided to the user. Other relevant stakeholders may similarly verify the transactions as well.
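The marketplace smart contract described in the preceding passages (terms from the advertisement and publisher information, invalidation when the creative's checksum changes, and settlement of the advertiser debit, publisher credit and user reward on a delivery event), as an added Python model that is not the patent's own code; the amounts, pricing models, event shapes and in-memory ledger are constructed.

```python
# Added example (not the patent's code) of a marketplace smart contract that
# pins the agreed creative by checksum and settles a billable delivery event.
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


def checksum(creative: bytes) -> str:
    return hashlib.sha256(creative).hexdigest()


@dataclass(frozen=True)
class AdContract:
    contract_id: str
    advertiser: str
    pricing_model: str          # "cpc" bills clicks, "cpm" bills impressions
    bid_cents: int              # debited from the advertiser per billable event
    publisher_cents: int        # credited to the delivering publisher
    user_reward_cents: int      # credited to the user behind the anonymous id
    creative_checksum: str      # agreed at creation; any change voids the contract


def make_contract(contract_id: str, advertiser: str, pricing_model: str, bid_cents: int,
                  publisher_cents: int, user_reward_cents: int, creative: bytes) -> AdContract:
    """Refuse terms that would pay out more than the advertiser's bid."""
    if pricing_model not in ("cpc", "cpm"):
        raise ValueError("unknown pricing model")
    if publisher_cents + user_reward_cents > bid_cents:
        raise ValueError("payouts exceed bid")
    return AdContract(contract_id, advertiser, pricing_model, bid_cents,
                      publisher_cents, user_reward_cents, checksum(creative))


@dataclass
class Ledger:
    """Constructed stand-in for the public distributed ledger and balances."""
    balances: dict = field(default_factory=dict)
    record: List[Tuple[str, str, str]] = field(default_factory=list)

    def post(self, account: str, delta_cents: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + delta_cents

    def publish(self, contract_id: str, anon_id: str, event_type: str) -> None:
        # The public payload names only the anonymous identifier, never the user.
        self.record.append((contract_id, anon_id, event_type))


def is_billable(contract: AdContract, event_type: str) -> bool:
    return {"cpc": "click", "cpm": "impression"}[contract.pricing_model] == event_type


def fulfill(contract: AdContract, ledger: Ledger, creative: bytes,
            event_type: str, publisher: str, anon_id: str) -> str:
    """Execute the contract for one delivery event; returns a status string."""
    if checksum(creative) != contract.creative_checksum:
        return "invalid"                       # creative altered since agreement
    ledger.publish(contract.contract_id, anon_id, event_type)
    if not is_billable(contract, event_type):
        return "recorded"                      # delivered, nothing owed under this model
    ledger.post(contract.advertiser, -contract.bid_cents)
    ledger.post(publisher, contract.publisher_cents)
    ledger.post("reward:" + anon_id, contract.user_reward_cents)
    return "settled"


def demo() -> dict:
    """Constructed campaign: cost-per-click, then a tampered creative."""
    creative = b"<constructed ad creative bytes>"
    c = make_contract("ctr-1", "adv-1", "cpc", bid_cents=50,
                      publisher_cents=20, user_reward_cents=10, creative=creative)
    ledger = Ledger()
    out = {"impression": fulfill(c, ledger, creative, "impression", "pub-1", "anon-7"),
           "click": fulfill(c, ledger, creative, "click", "pub-1", "anon-7"),
           "tampered": fulfill(c, ledger, creative + b"!", "click", "pub-1", "anon-7")}
    out["balances"] = dict(ledger.balances)    # {"adv-1": -50, "pub-1": 20, "reward:anon-7": 10}
    out["published"] = len(ledger.record)      # 2: impression and click; tampered event not recorded
    return out
```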

Each request handler may be specifically compiled or otherwise instantiated by the system. Thus, new handlers may not be added unless specifically compiled or instantiated, improving security of the secured private platform.

User Scoring

In an implementation, the user scoring engine 55 may generate a user score that indicates an assessment of the quality of the data known about the user. The user score may be expressed as a numeric score, a letter score, and/or other type of score that can quantitatively assess the quality of the data known about the user. For example, the user score may reflect the amount of profiling data such as browser data, connected networks, purchase and interests data, demographic data, and/or other information known about the user. Generally speaking, the more that is known about the user, the greater the value of the user score.

In an implementation, the user score may be used to affect a reward provided to the user. For example, a user having a greater value user score may be provided with a greater reward than a user having a lower value user score. In some instances, the user score may be used by advertisers to screen audiences. For example, an advertiser may target users that have a minimum user score. In this manner, the advertiser may target users whose quality of data meets a certain value.

To an extent, the user may influence his user score by permitting moreaccess to the user's data, using the system to conduct onlineactivities, and/or otherwise providing more access to the user's data.In this manner, the user may seek to maximize his rewards by allowingmore access, or more tightly control such access but receive lessrewards. In this manner, the system facilitates control by the user ofthe user's data while incentivizing the user to permit greater levels ofaccess.

Publisher API and Tools

In an implementation, the publisher API 56 may provide interfaces and tools for publishers to customize the experience for users browsing their sites. For example, the API 56 may communicate with publisher agents (such as JavaScript or other applications operating on a user device) operating at the publisher sites. The secure private platform may provide the publisher agents to a publisher 150, which implements the agents on its sites.

The publisher agents may be customized to interact with users who visit (in other words, are in electronic communication with) a publisher's 150 site. For instance, a publisher agent may be customized to ask a user whether they would like to share a reward in exchange for permission to serve ads on the site. If the user agrees, the publisher 150 and the user may share rewards resulting from ad delivery and/or interaction. The publisher agent may be customized to ask a user to participate in the secure private platform and offer to register the user to enroll to use the platform. In this manner, the user may be enrolled and provide permission to use profiling data. In some instances, the publisher agent may perform functions similar to those of the profiling agents 126, in that a system-generated user identifier may be stored and detected on the user device 120.

To facilitate the foregoing, in an implementation, the publisher agent may determine whether a user is an enrolled user. If yes, then the publisher agent may obtain the system-generated user identifier. Alternatively or additionally, the publisher agent may check on a user's status via a call to publisher API 56 to obtain the status. The publisher agent may determine whether the publisher's site is whitelisted or blacklisted. If whitelisted, the publisher agent may receive, from the publisher API 56, a meta payload including a system-generated user identifier of the user, approved domains and subdomains, whether payment has been approved for the user, custom domain information (such as whether the user is a subscriber to the site), and/or other information. If the site is blacklisted, the publisher agent may request that the user whitelist the site. In some instances, the publisher agent may request that the user remove or add a paywall, which is a subscription requirement for accessing a site. If a paywall is added, then ads may be removed. If a paywall is removed, then the user may be asked to permit presentation of ads.

In some instances, the whitelists and blacklists may be input by a user as part of the user's settings. In this manner, the user may customize which publishers or others may track and/or use the user's data. In some instances, the user may customize whether publishers or others may track and/or use the user's data on a global level that affects all publishers. In this manner, the user may specify privacy settings on a micro (per-publisher) or macro (global) level. By doing so, the system may also provide the advantage of complying with certain privacy regulations, such as the General Data Protection Regulation of the European Union.
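The whitelist, blacklist and global-setting decision the publisher agent makes above, written out as an added example (not code from the patent or from any publisher agent it describes). The precedence rules are assumptions a practitioner would have to fix: the global switch overrides every per-site entry, the most specific matching entry otherwise wins so that a blacklisted subdomain can sit under a whitelisted parent domain, an entry present in both lists is treated as a deny, an unknown site yields a prompt rather than silent tracking, and domain matching is label-aligned so that an entry for example.com does not match notexample.com. The meta payload releases the system-generated user identifier only for an allowed site; PrivacySettings, evaluate_site, build_meta_payload and the sample settings are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field


@dataclass
class PrivacySettings:
    """User-defined settings (a constructed stand-in for what the private
    blockchain would hold): one global switch plus per-publisher lists."""
    global_tracking: bool = True
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


def domain_matches(host, entry):
    """True if host equals entry or is a subdomain of it. The match is
    label-aligned, so 'notexample.com' does not match 'example.com'."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def evaluate_site(settings, host):
    """Returns 'allow', 'deny' or 'prompt'. The global (macro) switch overrides
    everything; otherwise the most specific list entry wins, and an entry
    present in both lists is treated as a deny."""
    if not settings.global_tracking:
        return "deny"
    best_len, verdict = -1, "prompt"
    for entries, outcome in ((settings.whitelist, "allow"), (settings.blacklist, "deny")):
        for entry in entries:
            if not domain_matches(host, entry):
                continue
            if len(entry) > best_len or (len(entry) == best_len and outcome == "deny"):
                best_len, verdict = len(entry), outcome
    return verdict


def build_meta_payload(settings, host, user_id, payment_approved, paywalled):
    """What the publisher API would hand back to the agent. The user identifier
    and approved domains are released only for an allowed site; a blacklisted
    site gets a request to be whitelisted, an unknown site gets a prompt."""
    verdict = evaluate_site(settings, host)
    if verdict == "deny":
        # whitelisting cannot help when the user has switched tracking off globally
        action = "request_whitelist" if settings.global_tracking else "none"
        return {"status": "deny", "action": action}
    if verdict == "prompt":
        return {"status": "prompt", "action": "ask_user"}
    approved = sorted(e for e in settings.whitelist if domain_matches(host, e))
    return {
        "status": "allow",
        "user_id": user_id,
        "approved_domains": approved,
        "payment_approved": payment_approved,
        "serve_ads": not paywalled,   # a paywalled site has its ads removed
    }


# constructed sample settings: one whitelisted domain, two blacklisted hosts
SAMPLE_SETTINGS = PrivacySettings(
    whitelist={"example.com"},
    blacklist={"tracker.example.com", "badsite.net"},
)

if __name__ == "__main__":
    for host in ("www.example.com", "tracker.example.com", "notexample.com", "badsite.net"):
        print(host, evaluate_site(SAMPLE_SETTINGS, host))
    print(build_meta_payload(SAMPLE_SETTINGS, "www.example.com", "uid-123", True, False))
```

With the sample settings, www.example.com is allowed through the parent-domain entry, tracker.example.com and any host beneath it are denied because the longer blacklist entry is more specific, notexample.com is unknown and prompts, and the same settings with global_tracking set to False deny everything regardless of the lists.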

In some instances, the publisher API 56 may provide tools for the publisher to interface with the electronic ad marketplace 40. For instance, the publisher 150 may be provided with calls to the publisher API 56 to view and select offers to place ads on a site of the publisher. In this manner, publishers may be directly connected to advertisers. In some of these instances, pricing agreements may be enforced by smart contracts as before, but agreed upon manually first, before automatic execution and recordation.

User Device 120

The user device 120 may be operated by a user to interact with the private and public blockchains (10, 12) and conduct activity that is monitored and stored in the anonymized database 14. For instance, the user device 120 may be programmed with a private wallet 122, a public wallet 124, one or more agents 126, and/or other components. The private wallet 122 may be used to interact with data pertaining to the user device 120 on the private blockchain 10. For instance, the private wallet 122 may access a private key to decrypt data on the blockchain that is intended to be accessed only by the holder of the private key. The private wallet 122 may store a blockchain address, which is used by the private blockchain 10 to identify the private wallet. The public wallet 124 may enable access to the public blockchain 12. For instance, the public wallet 124 may be used to view a user's reward balance, interactions with advertisements, and/or other public information stored on the public blockchain 12.

The one or more agents 126 may include programs that monitor activity on the user device 120 and report this activity to the computer system 110. For example, an agent 126 may include a browser extension, a mobile application, a platform-specific application (such as an electronic shopping application), and/or other types of user applications that can report user activity that may be used as profiling data. As one example, the browser extension may be configured as a script that transmits browser history information and a device identifier to the computer system 110, which stores the browser history information anonymously linked to the device identifier in the anonymized database 14.

In some instances, the one or more agents 126 may store a device identifier of an enrolled device. For instance, an agent 126 may store the device identifier as a browser cookie. If a device identifier is not stored, the agent 126 may determine whether the device is enrolled to use the system. If so, then the device identifier may be obtained from the secure private platform and stored as a cookie. If the agent 126 determines that the device is not enrolled to use the system, the agent 126 may request that the user enroll the device.

FIG. 4 illustrates an example of a process 400 of matching anonymous user identifiers specified in an audience order with users that have permitted use of their profiling data, according to an implementation of the invention.

In an operation 402, process 400 may include receiving an ad object. The ad object may specify an audience order from an advertiser 140. The ad object may specify, among other things, a listing of unique record identifiers of interest. As previously noted, each unique record identifier identifies particular profiling data, but does not identify an individual. Thus the ad object expresses an interest in users that fit the profiling data, even if the advertiser 140 does not know who those users are.

In an operation 404, process 400 may include determining whether the ad object is valid. For example, each type of valid ad object may be handled by a particular handler 38, which expects certain types of data from known advertisers 140.

In an operation 406, process 400 may include returning an invalid request indication to the requester if the ad object is invalid.

In an operation 408, process 400 may include identifying a handler to process the ad object. It should be noted that the identified handler may perform further validations on the ad object.

In an operation 410, process 400 may include consulting a private blockchain to determine whether the anonymous profiling data records are associated with users who have permitted use of their profiling data (and, if applicable, whether the users have permitted use of the specific type of profiling data being matched).

In an operation 412, process 400 may include determining whether any matches exist.

In an operation 414, process 400 may include returning an empty dataset or other indication that no matches were found. In other words, the users associated with the anonymous profiling data records of interest to the requesting advertiser 140 have not permitted access to such records.

In an operation 416, process 400 may include causing ads to be transmitted to users that have permitted use of the requested profiling data. For example, process 400 may email users with the advertisement if the ad object specified that emails should be sent to users who have permitted use of the profiling data. If the ad object has not specified a channel over which to deliver the ad, then the ad may be included in an ad queue to be delivered to relevant users when they visit a participating site (such as a website of a publisher 150).

Operation 416 may also include creating aggregate analytics data, a data analysis, or a report from the profiling data. For example, process 400 may first generate a list of users who have permitted use of the profiling data and who match specified criteria, and then count, sum, average, or otherwise calculate statistical or marketing metrics (such as the lifetime value of people that make home and garden purchases). The result may be an HTML report of the aggregated data with a reference handle based on the audience request. This report can then be accessed by the advertiser that requested the audience data.
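Operations 402 through 416 of process 400, together with the grant, link and revocation behaviour that feeds them (profiling data stored under a record identifier that names no user, an association written to the private chain only while a device is linked, and the link removed on revocation), carried through as one added example. This is not the patent's code; PrivateChain, Platform, the known-advertiser set and the sample records are hypothetical. One design choice is worth stating: because a chain is append-only, the association block written while a grant was active remains after the grant is revoked, so the matcher does not trust the association alone but replays the chain to the current grant state and also checks that the grant covers the record's data type, as operation 410 requires.

```python
import uuid

KNOWN_ADVERTISERS = {"adv:acme"}     # constructed sample of enrolled advertisers
VALID_CHANNELS = {None, "email"}     # None means "use the ad queue"


class PrivateChain:
    """Append-only log standing in for the private blockchain. Nothing is
    deleted, so a revocation is a new block and the current grant state is
    obtained by replaying the log from the start."""

    def __init__(self):
        self.blocks = []

    def append(self, kind, **fields):
        self.blocks.append({"kind": kind, **fields})

    def grant_state(self):
        """user_id -> set of permitted profiling data types (empty = revoked)."""
        state = {}
        for b in self.blocks:
            if b["kind"] == "grant":
                state[b["user_id"]] = set(b["data_types"])
            elif b["kind"] == "revoke":
                state[b["user_id"]] = set()
        return state

    def associations(self, record_ids):
        """record_id -> user_id for the association blocks that match."""
        wanted = set(record_ids)
        return {b["record_id"]: b["user_id"] for b in self.blocks
                if b["kind"] == "assoc" and b["record_id"] in wanted}


class Platform:
    def __init__(self):
        self.chain = PrivateChain()
        self.links = {}      # device_id -> user_id; exists only while a grant is active
        self.records = {}    # anonymized database: record_id -> {"type", "data"}

    def grant(self, user_id, device_id, data_types):
        self.links[device_id] = user_id
        self.chain.append("grant", user_id=user_id, data_types=sorted(data_types))

    def revoke(self, user_id):
        self.links = {d: u for d, u in self.links.items() if u != user_id}
        self.chain.append("revoke", user_id=user_id)

    def ingest(self, device_id, data_type, data):
        """Store profiling data under a fresh record identifier that names no
        user. An association block is written only if the device is linked."""
        record_id = str(uuid.uuid4())
        self.records[record_id] = {"type": data_type, "data": data}
        user_id = self.links.get(device_id)
        if user_id is not None:
            self.chain.append("assoc", user_id=user_id, record_id=record_id)
        return record_id

    @staticmethod
    def validate_ad_object(ad):
        """Operation 404: the checks a handler would require before matching."""
        if ad.get("advertiser") not in KNOWN_ADVERTISERS:
            return "unknown advertiser"
        ids = ad.get("record_ids")
        if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
            return "record_ids must be a list of record identifiers"
        if ad.get("channel", None) not in VALID_CHANNELS:
            return "unsupported delivery channel"
        return None

    def match_audience(self, ad):
        """Operations 402-416 of process 400 in one call."""
        error = self.validate_ad_object(ad)
        if error:
            return {"status": "invalid", "reason": error}
        state = self.chain.grant_state()
        matched = set()
        for record_id, user_id in self.chain.associations(ad["record_ids"]).items():
            record = self.records.get(record_id)
            # the association alone is not enough: the grant must still be
            # active and must cover this record's data type
            if record and record["type"] in state.get(user_id, set()):
                matched.add(user_id)
        if not matched:
            return {"status": "empty", "users": []}
        return {"status": "matched", "users": sorted(matched),
                "delivery": ad.get("channel") or "queue"}


if __name__ == "__main__":
    p = Platform()
    p.grant("user-1", "dev-1", {"browser"})                       # constructed sample
    r1 = p.ingest("dev-1", "browser", {"visited": "example.com"})
    r2 = p.ingest("dev-1", "purchase", {"sku": "123"})             # type not granted
    r3 = p.ingest("dev-2", "browser", {"visited": "other.test"})   # device never linked
    ad = {"advertiser": "adv:acme", "record_ids": [r1, r2, r3], "channel": None}
    print(p.match_audience(ad))
    p.revoke("user-1")
    print(p.match_audience(ad))
```

In the sample run the first match returns only user-1, reached through r1: r2 carries a data type the grant does not cover and r3 came from a device that was never linked, so neither record can be tied to a user. After the revocation the same ad object returns an empty dataset, and any record ingested from dev-1 afterwards is stored without an association block, which is the behaviour of operation 414 and of the revocation path described earlier.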

Although illustrated in FIG. 1 as a single component, a computer system 110 may include a plurality of individual components (such as computer devices) each programmed with at least some of the functions described herein. The one or more processors 20 may each include one or more physical processors that are programmed by computer program instructions. The various instructions described herein are provided for illustrative purposes. Other configurations and numbers of instructions may be used, so long as the processor(s) 20 are programmed to perform the functions described herein.

Furthermore, it should be appreciated that although the various instructions are illustrated in FIG. 1 as being co-located within a single processing unit, in implementations in which processor(s) 20 includes multiple processing units, one or more instructions may be executed remotely from the other instructions.

The description of the functionality provided by the different instructions described herein is for illustrative purposes, and is not intended to be limiting, as any of the instructions may provide more or less functionality than is described. For example, one or more of the instructions may be eliminated, and some or all of its functionality may be provided by other ones of the instructions. As another example, processor(s) 20 may be programmed by one or more additional instructions that may perform some or all of the functionality attributed herein to one of the instructions.

The various instructions described herein may be stored in a storage device 22, which may comprise random access memory (RAM), read only memory (ROM), and/or other memory. The storage device may store the computer program instructions (such as the aforementioned instructions) to be executed by processor 20 as well as data that may be manipulated by processor 20. The storage device may comprise one or more non-transitory machine-readable storage media such as floppy disks, hard disks, optical disks, tapes, or other physical storage media for storing computer-executable instructions and/or data.

For example, the various information described herein may be stored using one or more databases. The databases may be, include, or interface to, for example, an Oracle™ relational database sold commercially by Oracle Corporation. Other databases, such as Informix™, DB2 (Database 2) or other data storage, including file-based, or query formats, platforms, or resources such as OLAP (On Line Analytical Processing), SQL (Structured Query Language), a SAN (storage area network), Microsoft Access™ or others may also be used, incorporated, or accessed. The database may comprise one or more such databases that reside in one or more physical devices and in one or more physical locations. The database may store a plurality of types of data and/or files and associated data or file descriptions, administrative information, or any other data.

The components illustrated in FIG. 1 may be coupled to one another via a network, which may include any one or more of, for instance, the Internet, an intranet, a PAN (Personal Area Network), a LAN (Local Area Network), a WAN (Wide Area Network), a SAN (Storage Area Network), a MAN (Metropolitan Area Network), a wireless network, a cellular communications network, a Public Switched Telephone Network, and/or other network. In FIG. 1, as well as in other drawing figures, different numbers of entities than those depicted may be used. Furthermore, according to various implementations, the components described herein may be implemented in hardware and/or software that configure hardware.

The various processing operations and/or data flows depicted in FIG. 2 (and in the other drawing figures) are described in greater detail herein. The described operations may be accomplished using some or all of the system components described in detail above and, in some implementations, various operations may be performed in different sequences and various operations may be omitted. Additional operations may be performed along with some or all of the operations shown in the depicted flow diagrams. One or more operations may be performed simultaneously. Accordingly, the operations as illustrated (and described in greater detail below) are exemplary by nature and, as such, should not be viewed as limiting.

Other implementations, uses and advantages of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The specification should be considered exemplary only, and the scope of the invention is accordingly intended to be limited only by the following claims.

What is claimed is:
 1. A system for building anonymized databases and linking anonymous profiling data records of the anonymized databases to users who have granted permission to use user data associated with the users, the system comprising: an anonymized database configured to store anonymized profiling data of users; a computer system comprising one or more physical processors programmed to execute stored instructions to: assign a user identifier to a user, wherein the user identifier is privately accessible at the computer system and inaccessible to advertisers; assign a first device identifier to a first device of the user; receive a grant to use first profiling data of the user; store an indication of the grant as a public block in a public blockchain; store a link between the user identifier and the first device identifier based at least in part on the grant; receive the first profiling data and the first device identifier; generate a first anonymous profiling data record in the anonymized database, the first anonymous profiling data record comprising the first profiling data and a first unique record identifier; and store, as a private block in a private blockchain, an association between the user identifier and the first unique record identifier based at least in part on an existence of the link.
 2. The system of claim 1, wherein the computer system is further programmed to: determine that the first unique record identifier is recorded in the private blockchain; and determine, based at least in part on the first unique record identifier being recorded in the private blockchain, that the user identifier associated with the first unique record identifier is associated with a user who has permitted use of the first profiling data.
 3. The system of claim 2, wherein the grant is received at a first time, and wherein the computer system is further programmed to: receive a revocation of the grant at a second time after the first time; remove the link responsive to the revocation; receive second profiling data and the first device identifier at a third time after the revocation; generate a second anonymous profiling data record comprising the second profiling data and a second unique record identifier, wherein the second profiling data is not linked to any user.
 4. The system of claim 3, wherein each of the first profiling data and the second profiling data is generated based on corresponding activity associated with the first device.
 5. The system of claim 4, wherein the second profiling data is generated based on activity associated with the first device that occurs after removal of the link.
 6. The system of claim 1, wherein the first profiling data comprises at least one of user behavioral data, user demographic data, or user location data.
 7. The system of claim 6, wherein the first profiling data comprises the user location data, and wherein the user location data comprises at least one of a current location of the first device or a historical location of the first device.
 8. The system of claim 1, wherein the computer system is further programmed to: store, in the public blockchain, a date of the grant to use the first profiling data, a type of personally identifiable information in the first profiling data that the user has permitted to be used, and a duration of the grant.
 9. The system of claim 1, wherein the grant is a first grant and the first profiling data is generated from activity of the first device, and wherein the computer system is further programmed to: determine that a second device of the user has accessed a participating platform; receive a second grant to use second profiling data of the user, wherein the second profiling data is generated from activity of the second device; send a request to the second device for the user identifier; receive, from the second device, the user identifier; assign a second device identifier to the second device; and store a link between the user identifier and the second device identifier based at least in part on the second grant.
 10. The system of claim 9, wherein the computer system is further programmed to: receive a revocation of the first grant; and remove the link between the user identifier and the first device identifier based at least in part on the revocation of the first grant.
 11. A method for building anonymized databases and linking anonymous profiling data records of the anonymized databases to users who have granted permission to use user data associated with the users, the method comprising: assigning a user identifier to a user, wherein the user identifier is privately accessible at the computer system and inaccessible to advertisers; assigning a first device identifier to a first device of the user; receiving a grant to use first profiling data of the user; storing an indication of the grant as a public block in a public blockchain; storing a link between the user identifier and the first device identifier based at least in part on the grant; receiving the first profiling data and the first device identifier; generating a first anonymous profiling data record in an anonymized database configured to store anonymized profiling data of users, the first anonymous profiling data record comprising the first profiling data and a first unique record identifier; and storing, as a private block in a private blockchain, an association between the user identifier and the first unique record identifier based at least in part on an existence of the link.
 12. The method of claim 11, further comprising: determining that the first unique record identifier is recorded in the private blockchain; and determining, based at least in part on the first unique record identifier being recorded in the private blockchain, that the user identifier associated with the first unique record identifier is associated with a user who has permitted use of the first profiling data.
 13. The method of claim 12, wherein the grant is received at a first time, the method further comprising: receiving a revocation of the grant at a second time after the first time; removing the link responsive to the revocation; receiving second profiling data and the first device identifier at a third time after the revocation; generating a second anonymous profiling data record comprising the second profiling data and a second unique record identifier, wherein the second profiling data is not linked to any user.
 14. The method of claim 13, wherein each of the first profiling data and the second profiling data is generated based on corresponding activity associated with the first device.
 15. The method of claim 14, wherein the second profiling data is generated based on activity associated with the first device that occurs after removal of the link.
 16. The method of claim 11, wherein the first profiling data comprises at least one of user behavioral data, user demographic data, or user location data.
 17. The method of claim 16, wherein the first profiling data comprises the user location data, and wherein the user location data comprises at least one of a current location of the first device or a historical location of the first device.
 18. The method of claim 11, further comprising: storing, in the public blockchain, a date of the grant to use the first profiling data, a type of personally identifiable information in the first profiling data that the user has permitted to be used, and a duration of the grant.
 19. The method of claim 11, wherein the grant is a first grant and the first profiling data is generated from activity of the first device, the method further comprising: determining that a second device of the user has accessed a participating platform; receiving a second grant to use second profiling data of the user, wherein the second profiling data is generated from activity of the second device; sending a request to the second device for the user identifier; receiving, from the second device, the user identifier; assigning a second device identifier to the second device; and storing a link between the user identifier and the second device identifier based at least in part on the second grant.
 20. The method of claim 19, further comprising: receiving a revocation of the first grant; and removing the link between the user identifier and the first device identifier based at least in part on the revocation of the first grant.